What is Bad Rabbit Ransomware?

October 26, 2020

It’s rabbit season – Bad Rabbit, that is. Bad Rabbit is the bastard spawn of ransomware Petya/NotPetya and has hopped its way around the world, taking down servers in Russia and Ukraine before moving on to Turkey, Asia, and the United States. Bad Rabbit ransomware puts a lock on the devices, files, or servers of its victims, preventing them from regaining access until they pay the required ransom. While this virus has been floating around for a few years now, organizations should still know how to protect themselves from an attack. Keep reading to learn what Bad Rabbit ransomware is, how it works, and how you can stave off an attack.

What is Bad Rabbit Ransomware and How Does it Work?

Bad Rabbit first appeared in 2017 as a variant of the Petya/NotPetya ransomware. What’s different in this ransomware attack, however, is that Bad Rabbit abuses DiskCryptor, a perfectly legitimate application for disk encryption, thus making it exempt from security checks by anti-virus software, sandboxes, and other outdated or detection-based solutions. In addition, Bad Rabbit has the ability to hide its capabilities when it passes through a sandbox. Once running, it cuts off user access to Windows Office, image, video, audio, email, and archive files – which can only be “redeemed” with the payment of ransom.

According to those who have seen it in action, Bad Rabbit gets installed on a system when a victim runs a phony Adobe Flash Player installer posted on a hacked website. Upon infection, the malware drops a DLL and executes it using rundll32.exe. This DLL, the main module of Bad Rabbit, is in charge of several tasks, including dropping further elements in the form of another DLL and an executable, scanning the LAN to propagate further attacks, and setting up scheduled tasks that will run the dropped executable.
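The chain described above (installer, then a DLL run through rundll32.exe, then scheduled-task creation) can be hunted for in process-creation telemetry. The following is an added example, not code from the original post: it assumes Sysmon-style process-creation fields, that task creation shows up as a schtasks.exe process, and that the installer runs from a user-writable folder; all paths, file names, task names and PIDs are constructed.

```python
import ntpath

# Constructed process-creation records; every path, name and PID is invented.
EVENTS = [
    {"host": "ws-01", "pid": 200, "ppid": 100, "cmd": "install_flash_player.exe",
     "image": r"C:\Users\alice\Downloads\install_flash_player.exe"},
    {"host": "ws-01", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\example_dropped.dll,#1"},
    {"host": "ws-01", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c schtasks /Create /TN example_task /TR C:\Windows\example_run.exe"},
    {"host": "ws-01", "pid": 500, "ppid": 400, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /Create /TN example_task /TR C:\Windows\example_run.exe"},
    # Benign: an administrator creating a task, with no rundll32 ancestor.
    {"host": "ws-02", "pid": 600, "ppid": 10, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /Create /TN backup /TR C:\Tools\backup.exe"},
]
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")  # assumed dropper locations

def exe_name(path):
    return ntpath.basename(path).lower()

def ancestors(event, by_pid):
    """Yield parent, grandparent, ... of an event on the same host."""
    seen = set()
    key = (event["host"], event["ppid"])
    while key in by_pid and key not in seen:
        seen.add(key)  # guards against loops caused by PID reuse
        parent = by_pid[key]
        yield parent
        key = (parent["host"], parent["ppid"])

def find_chains(events):
    """Flag schtasks /create whose ancestry is rundll32 <- exe in a user-writable dir."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for e in events:
        if exe_name(e["image"]) != "schtasks.exe" or "/create" not in e["cmd"].lower():
            continue
        loader = next((a for a in ancestors(e, by_pid)
                       if exe_name(a["image"]) == "rundll32.exe"), None)
        dropper = by_pid.get((loader["host"], loader["ppid"])) if loader else None
        if dropper and any(d in dropper["image"].lower() for d in USER_WRITABLE):
            alerts.append({"host": e["host"], "task_pid": e["pid"],
                           "loader_pid": loader["pid"], "dropper": dropper["image"]})
    return alerts

if __name__ == "__main__":
    for alert in find_chains(EVENTS):
        print(alert)
```

Walking the full ancestry rather than only the direct parent keeps the rule working when an intermediate cmd.exe sits between rundll32.exe and schtasks.exe, as in the sample.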

What Happens When a Bad Rabbit Attack is Deployed

Once all files have been encrypted, Bad Rabbit installs a bootlocker and a system shutdown is scheduled – with the reboot defaulting to a ransom message, demanding the payment of .05 bitcoin (about $275 at today’s exchange rate) for the unlock code. As the price point here is pretty low, the hackers are banking on the vast majority of victims paying up – a very likely eventuality, as Kaspersky reports over half of ransomware victims pay the ransom. 

The encryption itself is very professionally done, with a strong encryption algorithm, and the encrypted files contain no visible patterns. When the ransom is paid, the victim gets a key to release the bootlocker and actually get to the hard drive. A second key unlocks the files. In a way, it’s a bizarre twist on two-factor authentication – relying on the likelihood that victims won’t even try to liberate their files on their own if there are multiple roadblocks in their way.

The professional design and approach to the encryption (a relatively sophisticated “customer service” group needs to be in place to support the decryption process, which entails numerous technical steps) indicate that the group behind Bad Rabbit is very sophisticated.

Understanding the Bad Rabbit Bloodline

We call Bad Rabbit the “bastard spawn” of Petya/NotPetya because it has some similarities – and dissimilarities – to that overwhelmingly successful attack. Like its parent, Bad Rabbit encrypts files on the infected machine and demands a ransom, utilizing an additional bootlocker to lock the machine until the ransom has been paid. It is also capable of moving laterally using SMB in order to infect other machines in the organization. And the Bad Rabbit bootlocker, as well as the kernel modules used, appear very similar to those used in Petya/NotPetya.

Regardless of the bloodline running from Petya/NotPetya to Bad Rabbit, as well as the true motives of its authors, it appears that its authors have put some hard work into it, have done their homework, and learned from previous mistakes. In addition, they have come up with some interesting twists, such as using a legitimate encryption application to sneak past conventional end-point solutions. Further research will no doubt shed more light on this threat to cybersecurity.

How Votiro Can Protect Your Organization From Bad Rabbit

Your organization should not have to sit around in fear, wondering if a ransomware attack such as Bad Rabbit is always lurking around the corner. At Votiro, our Secure File Gateway leverages file sanitization to prevent such files from ever entering your network. With our Positive Selection technology, each file that is downloaded, uploaded, or transferred from your network is dissected to ensure only the safest elements are able to enter. This way, you can breathe easy knowing that a virus won’t randomly infiltrate your network. And with threats such as Bad Rabbit floating around, you’ll want the added peace of mind. 
